EP3707878B1 - Iot computer system and arrangement having such an iot computer system and an external system - Google Patents

Description

The invention relates to an IoT edge computer system, as well as an arrangement with such an IoT edge computer system and an external system or device to which this IoT computer system is connected.

Computer systems are becoming increasingly important, especially in the implementation of automation and processing tasks. With the growing connection and number of smart (end) devices and compact systems, e.g. sensors or processing and control devices that are connected to the Internet (so-called Internet of Things, or IoT for short), the amount of data is also growing must be transferred, processed, processed by the individual systems and exchanged between the systems or between a client system and a host system. This requires ever greater computing performance or “intelligence”.

In addition to data centers or cloud services (cloud servers) as such, so-called edge computing represents a promising approach to linking and connecting IoT devices or to processing the data generated by them. The computing performance or "intelligence" is transferred from the remote data center or cloud service to the immediate vicinity ("at the edge") of the IoT devices, ie at or near their place of use, in order to be directly "in front of them". Location" to collect, process, evaluate the data, etc. This means that a large amount of data can be processed directly at the place of use. Data centers or cloud services are then only necessary for the storage and further processing of a possibly reduced fraction of the data or the corresponding pre-processed information. Advantages here include, for example, a reduction in data storage costs or performance costs that arise for using the infrastructure of a data center or a cloud service from a corresponding provider, as well as a reduction in the bandwidth required to transmit the corresponding data.

To implement such edge computing, a so-called IoT computer system or edge computer system is required. This is a computer system set up and dimensioned (specifically for these purposes). An important requirement is, for example, continuous operation (so-called 24/7 operation) or reliable operation even in exposed and possibly extreme locations with challenging environmental conditions (e.g. very cold, wet, hot or dusty locations). Nevertheless, an edge computer system should ideally have a compact design and require little construction or installation space. An attractive area of application for edge computing is, for example, the application in industrial systems (so-called " Industry 4.0"), in which huge amounts of sensor data, system data, plant data, process data, control data and communication data (to name just a few) are generated. Many applications are conceivable here.

One challenge when processing a wide variety of data and information in an edge computer system is that the edge computer system may contain a wide variety of information and data types, but they are intended for completely different user groups. are permitted and provided for. Data security and data confidentiality play a very important role here. When using an edge computer system at a specific location, for example, 1) data from the computer system itself, such as telemetry data, in particular machine data, controlled variables, measured values or parameters, are generated, but also 2) data that is related to the use of the edge computer system its place of use, e.g. sensor data, control data, system data, personal data or communication data.

The data of type 1) is important, for example, for the manufacturer or IT service provider of the edge computer system or the edge computer system solution. This data can be used, for example, for so-called “predictive maintenance” of the edge computer system to improve reliability or maintenance or to better compensate for an actual failure.

The data of type 2) is important, for example, for the operator of a system using the edge computer system or the edge computer system solution. This data is created or used during ongoing operations. Corresponding data of type 1) or type 2) can therefore be highly confidential for the respective authorized parties and should or must be protected from access by unauthorized user groups. Legal regulations or data protection requirements may also apply here.

Conventional solutions using data centers or cloud services simply involve collecting all the data at the point of use and transferring this data to a single location Endpoint, e.g. in the data center or in the cloud, and further splitting of the data and further distribution, e.g. through so-called cloud-to-cloud connections. However, these solutions often only offer inadequate protection against unauthorized access to sensitive or trustworthy data. Data centers and cloud services are also an attractive target for cyber attacks because all data converges at these end points. In addition, these solutions bring with them the disadvantages explained above in connection with data centers or cloud services.

The EP 3 208 991 A1 concerns network security for IoT. In a local network, two wireless networks are set up, one for less secure IoT devices and one for more secure, conventionally connected devices, with a bridge connecting the two networks. The messaging between the two networks is tailored to reduce the risk of a network security breach where the less secure IoT devices infect the network with more secure devices.

The US 2016/328556 A1 discloses a system and method of a single machine or a cluster of machines functioning as a single machine that simplifies and consolidates the hosting of appliances using virtualization, containers and/or any form of sandboxing for hosting virtual appliances, said appliances being However, nodes can be interconnected in a way to have a centralized node that acts as a security center, firewall appliance and information distributor for not only the local virtual network(s), machines, appliances, but also for physical and external virtual networks.

The US 9,485,231 B1 discloses that a secure connection between a user's mobile device and an " Internet of Things" connected device using an Internet gateway located on the public Internet and a local gateway located on a private network behind a Firewall is located, can be provided. The user device may receive input via a software application and may generate an electronic instruction based on the input and then encrypt it and send the encrypted electronic instruction to the Internet gateway over a secure connection. Only the user device and the local gateway have encryption/decryption keys.

It is the object of the invention to describe an edge computer system of the type explained at the beginning, which enables optimal data processing for IoT applications, while at the same time improving data security of sensitive or trustworthy data for different user groups of the computer system.

This task is solved by an edge computer system according to claim 1. Further developments and refinements are disclosed in the associated subclaims.

A first virtual operating environment and a second virtual operating environment are set up in the edge computer system. The virtual operating environments are logically separated from each other. “Logical separation” means that one operating environment cannot address the other operating environment, let alone establish a (virtual) connection/network connection to it. The virtual operating environments can be set up as virtual machines, for example. The virtual operating environments can be implemented in such a way that they each behave like a complete/independent computer system (virtual computer system).

In such an edge computer system, one operating environment therefore has no access to the other operating environment. This means that data that is generated or processed in one operating environment is logically separated from data that is generated or processed in the other operating environment. Virtualization and logical separation ("sandboxing") of the operating environments achieve a separation of the data from the individual operating environments. Virtualization of the operating environments still enables the edge computer system to be set up and adapted flexibly to the respective intended use. Setting up logically separate virtualized operating environments allows the advantages of a conventional data center or cloud service to be combined with the advantages of an edge computer for processing data from IoT devices connected to it, while still ensuring data security.

In this way, data and information of various types can be recorded, processed and further transported by the edge computer system in an IoT application scenario in a high-performance yet secure manner and, above all, protected from unauthorized access. For example, a virtual operating environment can include data for a first User group, for example the manufacturer or IT service provider of the edge computer system, are determined, while the other virtual operating environment can include data that is intended for a user group different from the first user group, for example the operator of a system using the edge computer system are.

In various embodiments of the edge computer system, the virtual operating environments are each logically assigned to a communication network via at least one virtual network connection, in particular a virtual network bridge. The virtual network connections are advantageously configured in such a way that a connection establishment from the communication network that is assigned to one of the two virtual operating environments into the communication network that is assigned to the other virtual operating environment is prevented. In this way, a logical separation of the virtual operating environments can be easily achieved. By appropriately configuring the virtual network connections, a logical separation of the virtual operating environments is established. It is advantageously not possible to establish a connection from the communication network that is assigned to one of the two virtual operating environments to the communication network that is assigned to the other virtual operating environment. Thus, a user group that is permitted access to one communications network (ie the one virtual operating environment) cannot connect to the other communications network (ie the other virtual operating environment).

A respective virtual operating environment can be assigned to the corresponding communication network in a simple manner by associating a virtual network connection, in particular a virtual network bridge, with a network connection (socket) of the virtual operating environment and a network connection (socket) of the associated communication network is configured. In this way, a data connection from the virtual operating environment to the communication network and vice versa is possible. A corresponding configuration can be done, for example, using software. For example, a (virtual) IP address or an IP address space of the communication network can be assigned to the virtual operating environment, with a network switch being programmed in the virtual network bridge. In short, the virtual operating environment is “hooked” into the associated communications network. The other communication network, into which the virtual operating environment is not "mounted", is logically separated from this virtual operating environment (and thus also the other virtual operating environment).

In various embodiments of the edge computer system, at least one of the virtual operating environments is connected to at least one physical network interface by means of the at least one virtual network connection. The physical network interface is, for example, a LAN interface or a USB interface. In this way, the virtual operating environment can be connected to physical network components of the edge computer system. The physical network interface is set up, for example, as an I/O interface of the physical edge computer system. In this case, the associated communication network includes virtual components (in particular the virtual operating environment and the virtual network connection) also physical network components. The physical network interface advantageously serves to connect to one or more external devices in the IoT environment in which the edge computing system is deployed.

In various embodiments, multiple different physical network interfaces may be provided, wherein the first virtual operating environment is connected to one or more first physical network interfaces and the second virtual operating environment is connected to one or more second physical network interfaces.

In various embodiments, a basic operating system is set up on the edge computer system. This can be, for example, a Linux system with a KVM infrastructure (so-called “Kernel-based Virtual Machine”) for virtualization and control of the operating environments. The configuration of the virtual network connections is specified by the basic operating system. The base operating system serves as a control component for the virtual network connections and is therefore a key component for configuring the logical separation of the virtual operating environments.

In various embodiments of the edge computer system, the configuration of the virtual network connections is predefined by the base operating system. The edge computer system is advantageously set up in such a way that a change in the configuration of the virtual network connections is prevented by the respective virtual operating environments or from a respective communication network. The The configuration of the virtual network connections can therefore advantageously not be changed by the defined infrastructure from the virtual operating environments or communication networks. The configuration can only be specified by the basic operating system. A configuration of the virtual network connections can be specified, for example, when setting up or installing the edge computer system. For example, the configuration of the virtual network connections can be specified by the manufacturer.

Configuration data for configuring the virtual network connections is advantageously stored in a protected area of the edge computer system, the area being secured against changing access by the virtual operating environments or from the associated communication networks. Such protection can be achieved, for example, by write protection of the protected area. The (write) protection can be set up in such a way, for example by a higher-level user (superuser), so that the (write) protection cannot be canceled after it has been set up by users or programs or applications that have access/authorizations with regard to the virtual operating environments or with regard to communication networks. The protected area can also be secured by further security measures such as encryption, signing, authentication via keys (credentials), etc. It is conceivable that the protected area is set up in a specially (physically and/or logically) secured memory (area) within the edge computer system. In this way, a logical separation of the virtual operating environments is fixed and cannot be circumvented.

In various embodiments of the edge computer system, the base operating system is set up in such a way that a connection from one of the communication networks, in particular from the respective virtual operating environments, to the base operating system is prevented. This represents a further security measure against manipulation of the edge computer system to override the mechanisms shown. Furthermore, this prevents any manipulation or disruption within a virtual operating environment from propagating into another virtual operating environment.

In various embodiments of the edge computer system, the virtual operating environments each have one or more firewalls. These are set up to control the establishment of a connection from or to a respective virtual operating environment from or into the logically assigned communication network. The firewalls can, for example, specify filter rules, in particular port and/or IP address filter rules, which control connection establishment accordingly. These filter rules can be specified by the virtual operating environments. In this way, access to or responsiveness of the virtual operating environments can be selectively controlled. This means that the virtual operating environments are protected against unwanted or even malicious access. Optionally, the firewalls of the virtual operating environments can be controlled using the basic operating system.

In various embodiments of the edge computer system, one or more virtual (software) applications are available within the virtual operating environments Provision of predetermined functionalities set up. The applications can, for example, be functionally adapted to one or more tasks or functionalities of external devices. For example, the applications can provide functionalities such as capturing, processing, processing, assigning, comparing, extracting, converting, exporting, importing, etc. of data. For this purpose, the individual virtual operating environments can, for example, have special applications/applications of artificial intelligence (AI) or complex data processing, such as so-called CEP applications (complex event processing).

In various embodiments of the edge computer system, at least one third virtual operating environment is set up in addition to the first and second virtual operating environments. The third virtual operating environment is logically linked to one of the two virtual operating environments. For example, the third virtual operating environment is logically linked to the second virtual operating environment, while it is logically separated from the first virtual operating environment. The third virtual operating environment can advantageously expand or supplement the functionality provided by the second virtual operating environment. For example, it is possible for the second and third virtual operating environments to provide different processing levels or stages for data processing, with the data being exchanged between the second and third virtual operating environments. However, this data remains logically separated from data within the first virtual operating environment.

The third virtual operating environment is advantageously logically linked to the corresponding one of the two virtual operating environments (e.g. with the second operating environment, see above) via at least one virtual network connection, in particular a virtual network bridge. To connect the third virtual operating environment via the virtual network connection, the information explained above applies analogously to the virtual network connections of the first and second operating environments. Through a virtual network connection between the third operating environment and the further operating environment logically linked to it (e.g. the second operating environment, see above), a (partial) virtual communication network is set up between these two virtual operating environments, so that the virtual operating environments are connected to each other and, if necessary, externally , e.g. with external devices, can communicate.

In various embodiments of the edge computer system, the first virtual operating environment is set up as a manufacturer environment for recording, processing or querying (internal) system data of the edge computer system or external systems or devices, in particular machine data, controlled variables, measured values or parameters . The first virtual operating environment collects and processes telemetry data from the edge computing system itself or from external systems or devices connected to the edge computing system. For this purpose, the first virtual operating environment can have components, in particular acquisition, processing or query components, such as sensors, applications, management controllers, kernels, buses, etc., or can draw on physical resources of the edge computer system. Using the first virtual operating environment, a manufacturer can easily Collect and evaluate data from the edge computer system or external systems or devices, e.g. for predictive maintenance. For this purpose, the first virtual operating environment can be connected to an external physical maintenance network via a physical network interface. This can be, for example, an OPC UA network (OPC UA stands for "Open Platform Communications Unified Architecture").

In various embodiments of the edge computer system, the second virtual operating environment is set up as an operator environment for recording or processing or controlling (external) operating data from or for external systems or devices, in particular sensor data, control data, system data, personal data, in particular biometric data, or communication data from or for the external systems or devices. The second virtual operating environment processes data from and to external devices, systems or systems to which the edge computer system is connected at the site. For this purpose, the second virtual operating environment can have components, in particular acquisition, processing or query components, such as sensors, applications, management controllers, kernels, buses, etc., or can draw on physical resources of the edge computer system. Using the second virtual operating environment, an operator of the edge computer system can control the external components or devices of his system or system connected to it. For this purpose, the second virtual operating environment can be connected to one or more external physical control networks via a physical network interface. These can include, for example, a LAN network, USB network or a special control bus network such as MODBUS.

The edge computer system explained here is advantageously used within an arrangement according to claim 13. The arrangement has the edge computer system of the type explained and at least one external system or device to which the edge computer system is connected. The first virtual operating environment is logically linked to the external system or device. The second virtual operating environment can be set up logically separately from the external system or device. Alternatively, the second virtual operating environment can also be logically linked to the external system or device. This logical link is advantageously implemented in such a way that no manipulative impairment of a logical separation of the first and second virtual operating environments is possible or at least made much more difficult. In this way, the functionality of the edge computer system explained here is preserved. For example, it can be specified that no data to be protected or confidential is issued to the external system or device from the first and second virtual operating environments, but only control data. Alternatively or additionally, respective connections between the external system or device and the respective first and second virtual operating environments can be specially secured. For this purpose, security measures such as encryption, signing, protocol changes, firewalls, etc. can be considered in order to prevent or make access to confidential data within one of the virtual operating environments by the other virtual operating environment very difficult and to ensure a logical separation of the two operating environments .

The external system or device can be, for example, a sensor, a control device (e.g. a programmable logic controller, PLC) or a processing, management or data server, in particular a cloud server, or a combination of such systems or devices.

The arrangement can advantageously be developed in such a way that the edge computer system is connected to at least one further external system or device, with the second virtual operating environment being logically linked to the further external system or device. The first virtual operating environment can be set up logically separately from the other external system or device. Alternatively, the first virtual operating environment can also be logically linked to the further external system or device. This logical link is advantageously implemented in such a way that no manipulative impairment of a logical separation of the first and second virtual operating environments is possible or at least made much more difficult. In this way, the functionality of the edge computer system explained here is preserved. For this purpose, the measures explained above can be applied analogously.

The further external system or device can also be, for example, a sensor, a control device (e.g. a programmable logic controller, PLC) or a processing, management or data server, in particular a cloud server, or a combination of such systems or devices.

The invention is explained in more detail below using an exemplary embodiment with the aid of a drawing.

The figure shows an IoT computer system 1. The IoT computer system can also be referred to as an edge computer system become. The IoT computer system 1 has a first virtual operating environment 2, a second virtual operating environment 3 and a third virtual operating environment 4. The virtual operating environments 2, 3, 4 are organized/set up, for example, as virtual machines within the IoT computer system 1.

The virtual operating environments 2, 3, 4 can be implemented in such a way that they each behave like a complete/independent computer system (virtual computer system). The virtual operating environments 2, 3, 4 each provide application-specific functionalities for the operation of the IoT computer system 1. The IoT computer system 1 is connected to various external devices or systems. For this purpose, a webcam 13, a programmable logic controller (PLC) 14, a management or maintenance server 15 and a cloud server or cloud service 16 are shown as examples. The external devices 13, 14, 15 and 16 can be connected to the Communicate with IoT computer system 1 and exchange data with it.

The first virtual operating environment 2 is set up as a manufacturer environment for recording, processing or querying internal system data of the IoT computer system 1, in particular machine data, controlled variables, measured values or parameters of the IoT computer system 1. Telemetry data is transmitted through the first virtual operating environment 2 of the IoT computer system 1 itself recorded and processed. For this purpose, the first virtual operating environment 2 has virtual components, in particular acquisition, processing or query components, such as sensors, applications, management controllers, kernels, buses, etc., or draws these from physical resources of the IoT computer system 1 . Using the first virtual operating environment 2, a manufacturer can easily collect and evaluate data from the IoT computer system 1, for example for predictive maintenance. For this purpose, the first virtual operating environment 2 is connected via virtual network connections, for example virtual network bridges, 6 and 7 as well as via physical network interfaces 11 and 12 connected to them one or more external physical maintenance or management networks are connected. The physical network interfaces 11 and 12 are, for example, LAN interfaces of the IoT computer system 1. A firewall 17 is interposed between the first virtual operating environment 2 and the virtual network connections 6, 7, which is controlled by the first virtual operating environment 2 and protects this against unauthorized connections from or into the external physical maintenance or management networks.

The first virtual operating environment 2 is connected to the management or maintenance server 15 via the network interface 11. This connection can be, for example, an OPC UA network. The management or maintenance server 15 is, for example, an OPC UA server. The first virtual operating environment 2 is connected to the cloud server or cloud service 16 via the network interface 11. In this way, the first virtual operating environment 2 and the devices 15 and 16 form a communication network (manufacturer network).

The second virtual operating environment 3 and the third virtual operating environment 4 are set up as a common operator environment for acquiring or processing or controlling external operating data from or for the further external systems or devices 13 and 14, in particular sensor data, control data, system data , personal data or communication data from or for the external systems or devices 13, 14. The second and third virtual operating environments 3, 4 thus process data from and to the external devices 13, 14. For this purpose, the second and third virtual operating environments 3, 4 have virtual components, in particular acquisition, processing or query components, such as sensors, Applications, management controllers, kernels, buses, etc. access or draw on physical resources of the IoT computer system 1. By means of the second and third virtual operating environments 3, 4, an operator of the IoT computer system 1 can control the external devices 13, 14 of his system or system connected to it.

The second virtual operating environment 3 is logically connected to the third virtual operating environment 4 via one or more virtual network connections, for example virtual network bridges, 5. This means that the second and third operating environments 3, 4 can communicate with each other and exchange data. Furthermore, the second operating environment 3 is connected to the device 13 via one or more virtual network connections (not explicitly shown in the figure) and via a physical network interface 9 connected to it. The third virtual operating environment 4 is connected to the device 14 via one or more virtual network connections, for example virtual network bridges, 8 and via a physical network interface 10 which is in turn connected to it. A firewall 17 is interposed between the second virtual operating environment 3 and the virtual network connection 5, which is controlled by the second virtual operating environment 3 and protects it against unauthorized connections from or into the virtual network connection 5. A firewall 17 is interposed between the third virtual operating environment 4 and the virtual network connections 5 and 8, which is controlled by the third virtual operating environment 4 and protects against unauthorized connections from or into the virtual network connection 5 or into the external network Device 14 is secured.

The physical network interface 9 is, for example, a USB interface, while the physical network interface 10 is, for example, a LAN interface of the IoT computer system 1. In this way, the second and third operating environments 3, 4 are connected both to each other and via physical network interfaces to one or more external physical control or data networks (from and to the devices 13 and 14). These include a LAN network, USB network or a special control bus network, e.g. between the device 14 and the IoT computer system 1. The control bus network can include, for example, a MODBUS network. In this way, the second and third virtual operating environments 3, 4 and the devices 13 and 14 form a communication network (operator network).

A higher-level control or configuration of the individual virtual operating environments 2, 3, 4 or the virtual network connections 5, 6, 7, 8 between the virtual operating environments 2, 3, 4 or the external devices 13, 14, 15, 16 takes place via a base operating system (not explicitly shown) of the IoT computer system 1. The base operating system can be, for example, a Linux system with an integrated KVM system. The basic operating system specifies in particular a defined configuration of the virtual network connections 5, 6, 7, 8. This configuration is advantageously predetermined in such a way that it cannot be changed by the individual virtual operating environments 2, 3, 4 or by the external devices 13, 14, 15, 16 or generally from the corresponding networks. For example, the configuration of the virtual network connections 5, 6, 7, 8 is specified when setting up or installing the IoT computer system 1. Eg can The configuration of the virtual network connections 5, 6, 7, 8 can be specified by the manufacturer.

Configuration data for configuring the virtual network connections 5, 6, 7, 8 are advantageously stored in a protected area of the IoT computer system 1, the area being protected against changing access by the virtual operating environments 2, 3, 4 or from the associated communication networks of and to the external devices 13, 14, 15, 16 is fused. Such protection can be achieved, for example, by write protection of the protected area. The (write) protection can be set up in such a way, for example by a higher-level user (superuser), so that the (write) protection cannot be canceled after it has been set up by users or programs or applications that have access/authorizations with regard to the virtual operating environments 2, 3, 4 or with regard to the communication networks from and to the external devices 13, 14, 15, 16. The protected area can also be secured by further security measures such as encryption, signing, authentication via keys (credentials), etc. It is conceivable that the protected area is set up in a specially (physically and/or logically) secured memory (area) within the IoT computer system 1.

The configuration of the virtual network connections 5, 6, 7, 8 is predetermined such that there is no logical connection between the first virtual operating environment 2 and one of the second or third virtual operating environments 3, 4. This means that the first virtual operating environment 2 is different from the second and third virtual ones Operating environment 3, 4 is logically separated. It is not possible to establish a connection in both directions between the first virtual operating environment 2 and one of the second or third virtual operating environments 3, 4. This is achieved by not setting up a logical network connection (socket) within the virtual network connections 5, 6, 7, 8 that allows a connection between the first virtual operating environment 2 and one of the second or third virtual operating environments 3, 4. This in turn means that it is not possible to establish a connection from one of the external devices 13 and 14 to the first virtual operating environment 2 or to establish a connection from one of the external devices 15 and 16 to one of the second or third virtual operating environments 3, 4 .

In this way, a manufacturer environment, implemented by the first virtual operating environment 2, is logically separated from an operator environment, implemented together by the second and third virtual operating environments 3, 4. Confidential or data worthy of protection is therefore within the manufacturer environment logically separated and separated from data within the operator environment. An authorized user, device, system or software program within the manufacturer environment has no access to data within the operator environment and vice versa. Such access is prevented due to the lack of a defined or deliberately prevented network connection. The manufacturer environment can only communicate with the devices 15, 16 via the network connections 6, 7, 11, 12. The operator environment can only communicate with the devices 13, 14 via the network connections 5, 8, 9, 10.

A possible application scenario of the arrangement shown with the IoT computer system 1 and the external devices 13, 14, 15, 16 is, for example, a parking lot system with a barrier system. The webcam 13 records license plates of motor vehicles that enter or leave the parking system. The image data from the webcam 13 is sent to the second virtual operating environment 3 within the physical IoT computer system 1 via the network connection 9. Within the second virtual operating environment 3, the image data of the webcam 13 is processed using one or more virtual applications of an artificial intelligence (AI). This can, for example, be an extraction of letters and numbers from the image data of the webcam 13 and the provision of the Include letters and numbers as a character string. This character string is transferred to the third virtual operating environment 4 within the physical IoT computer system 1 via the network connection 5. Within the third virtual operating environment 4, the character string is compared with stored comparison patterns using one or more virtual applications for complex data processing (CEP). Personal data, e.g. owner data of the motor vehicle, or times, timestamps, credit card details of the owner of the motor vehicle, etc. can also be evaluated here. This data can be stored, for example, in a database within the virtual operating environment 4. In this way, it can be determined whether a motor vehicle with the registered license plate has permitted access to the parking system or a permitted exit from the parking system (e.g. after a valid payment transaction, etc.).

If this is confirmed within the virtual operating environment 4, the virtual operating environment 4 sends a corresponding control signal to the PLC 14 via the network connections 8, 10, which in turn controls the barrier system so that a barrier is opened. The registered motor vehicle can then drive in or out.

Independently and logically separated from the second and third operating environments 3, 4 (operator environment of the parking lot system), a manufacturer, for example of the barrier system or just the IoT computer system 1, which is used in the operator's parking lot system, can be within the manufacturer -Environment 2 collect and evaluate telemetry data from the barrier system or the IoT computer system 1 (e.g. system parameters of the IoT computer system 1) using the management server 15 or via the cloud service or cloud server 16. However, at least within the IoT computer system 1, the manufacturer cannot establish a connection to components of the virtual operating environments 3, 4. The manufacturer therefore does not receive access to data, e.g. image data from the webcam 13 or personal data, e.g. from owners of the identified motor vehicles, within the virtual operating environments 3, 4. Conversely, the operator does not receive access to data, e.g. internal device data, Implementations, etc. either of the IoT computer system 1 as such or of the devices 15, 16 and possibly 14, which are in the hands of the manufacturer.

It is possible that external devices, such as devices 14 and 15, can exchange data via external networks outside of the IoT computer system 1. For example, the PLC 14 can provide the management server 15 with control data (e.g. number of opening and closing processes, error situations or error codes, etc.) of the barrier system. This control data can then be entered by the management server 15 into the virtual operating environment 2 within the IoT computer system 1 and evaluated there for predictive maintenance and checking of the operating behavior of the barrier system. An external connection of the devices 14 and 15 is advantageously secured or implemented in such a way that no unwanted bypass or possibility of manipulation arises between the inherently logically separate virtual operating environments 3, 4 and the virtual operating environment 2. This can be achieved, for example, by not issuing any operator information to be protected from the virtual operating environments 3, 4 to the device 14, but only control data. Conversely, this can be achieved, for example, by not issuing any manufacturer information to be protected from the virtual operating environment 2 to the device 15, but only control data. Corresponding connections can be specifically protected against manipulation, for example via the respective firewalls 17.

The embodiment shown and the application scenario explained are chosen as examples only. Many different designs and applications are conceivable. There are numerous application examples, particularly in the industrial system environment, e.g. in wind power or solar systems or in the industrial production and manufacture of products. The scope of the invention is defined by the appended claims.

In embodiments not shown, the virtual operating environments 3 and 4 can also be logically different from each other be separated to prevent data misuse between these operating environments.

Reference symbol list

1

IoT computer system

2

first virtual operating environment

3

second virtual operating environment

4

third virtual operating environment

5

virtual network connection

6

virtual network connection

7

virtual network connection

8th

virtual network connection

9

physical network connection

10

physical network connection

11

physical network connection

12

physical network connection

13

Webcam

14

Programmable logic controller

15

Management server

16

Cloud server

17

Firewall

Claims (15)

1. Internet-of-Things, IoT, edge computer system, in which a first virtual operational environment (2) and a second virtual operational environment (3) are set up, wherein

   - the first virtual operative environment (2) is set up as a producer environment for collecting, processing and/or querying system data of the edge computer system itself or of one or more external systems or devices (13, 14, 15, 16) connected to the edge computer system,

   - the second virtual operational environment (3) is arranged as an operator environment for collecting, processing and/or controlling operational data from or for the one or more external systems or devices (13, 14, 15, 16),

   - the virtual operational environments (2, 3) are logically separated from each other in such a way that one virtual operational environment (2, 3) has no access to the other virtual operational environment (2, 3),

   - the virtual operational environments (2, 3) are each logically assigned to a communication network via at least one virtual network connection (5, 6, 7, 8), and

   - the virtual network connections (5, 6, 7, 8) are configured in such a way that a connection establishment from the communication network assigned to one of the two virtual operational environments (2, 3) to the communication network assigned to the other virtual operational environment (2, 3) is prevented.
2. The IoT edge computer system according to claim 1, wherein at least one of the virtual operational environments (2, 3) is linked to at least one physical network interface (9, 10, 11, 12) by means of the at least one virtual network connection (5, 6, 7, 8).
3. The IoT edge computer system according to claim 1 or 2, on which a base operating system, in particular a Linux system having a KVM infrastructure, is set up, wherein the configuration of the virtual network connections (5, 6, 7, 8) is predetermined by means of the base operating system.
4. The IoT edge computer system according to claim 3, wherein the configuration of the virtual network connections (5, 6, 7, 8) is fixedly predetermined by means of the base operating system and the edge computer system is set up in such a way that changing the configuration of the virtual network connections (5, 6, 7, 8) by the respective virtual operational environments (2, 3) or from a respective communication network is prevented.
5. The IoT edge computer system according to claim 4, wherein configuration data for configuring the virtual network connections (5, 6, 7, 8) is stored in a protected, in particular write-protected, area of the edge computer system.
6. The IoT edge computer system according to any one of claims 3 to 5, wherein the basic operating system is set up in such a way that a connection establishment in each case from one of the communication networks, in particular from the respective virtual operational environments (2, 3), into the base operating system is prevented.
7. The IoT edge computer system according to any one of claims 1 to 6, wherein the virtual operational environments (2, 3) each comprise one or more firewalls (17) which are set up to control a connection establishment from or to a respective virtual operative environment (2, 3) from or into the logically associated communication network.
8. The IoT edge computer system according to any one of claims 1 to 7, wherein one or more virtual applications for providing predetermined functionalities are set up within the virtual operative environments (2, 3) in each case.
9. The IoT edge computer system according to any one of claims 1 to 8, wherein at least a third virtual operational environment (4) is set up which is logically connected to one of the two virtual operational environments (2, 3).
10. The IoT edge computer system according to claim 9, wherein the third virtual operational environment (4) is logically linked to the corresponding one of the two virtual operational environments (2, 3) via at least one virtual network connection (5, 6, 7, 8), in particular a virtual network bridge.
11. The IoT edge computer system according to any of claims 1 to 10, wherein

    - system data comprises the machine data, controlled variables, measured values or parameters, or

    - the operational data is related to the use of the edge computer system at its place of use and comprises sensor data, control data, plant data, personal data, in particular biometric data, or communication data from or for the one or more external systems or devices (13, 14, 15, 16).
12. The IoT edge computer system according to any one of claims 1 to 11, wherein the virtual operational environments (2, 3) are each logically assigned to the communication network via a virtual network bridge.
13. An arrangement comprising an IoT edge computer system according to any one of claims 1 to 12 and an external system or device (13, 14, 15, 16) to which the edge computer system is connected, wherein the first virtual operational environment (2) is logically linked to the external system or device (13, 14, 15, 16).
14. The arrangement according to claim 13, wherein the external system or device (13, 14, 15, 16) is a sensor, a control device or a processing server or data server, in particular a cloud server.
15. The arrangement according to claim 13 or 14, wherein the IoT edge computer system is connected to a further external system or device (13, 14, 15, 16), the second virtual operational environment (3) being logically linked to the further external system or device (13, 14, 15, 16) .

Images